Previous research about change in Gauss command server proves wrong.

Because of incorrect research contained in the original report, this article previously misidentified a command and control server that was being accessed by computers infected by the Gauss espionage malware. Contrary to that report, the server is operated by researchers with antivirus provider Kaspersky Lab. Such "sinkholes" are used to disrupt computer botnets by preventing infected machines from reporting to malicious servers under the control of the malware operator.

Shortly after this article was published, Kaspersky Chief Security Expert Alexander Gostev issued the following statement:

After discovering Gauss we started the process of working with several organizations to investigate the C2 servers with sinkholes. Given Flame's connection with Gauss, the sinkhole process was being organized to monitor both the Flame and Gauss’ C2 infrastructures. It’s important to note that the Gauss C2 infrastructure is completely different than Flame's. The Gauss C2s were shut down in July by its operators and the servers have been in a dormant state by the operators since then. However, we wanted to monitor any activity on both C2 infrastructures.

During the process of initiating the investigation into Gauss C2s and creating sinkholes we notified trusted members of the security and anti-malware community about the sinkhole IP and operation so that they were aware of any activity. FireEye's post about the Gauss C2 samples connecting to the same servers as Flame are actually our sinkholes they're looking at.

With some easy Googling and checking on WhoIs, researchers could have verified all of this.

Since the investigation and sinkhole operation are still in progress we do not have any more information to provide at this time.

The remainder of this story shows how this post originally appeared, although Ars can no longer stand behind most of the research cited.

The Gauss malware recently found spying on thousands of machines located mostly in the Middle East has begun connecting to command servers previously accessed by the state-sponsored Flame trojan that's targeting Iranian computers, providing more proof that the two are linked, a security researcher said.

On Thursday, Ali Islam, a researcher with security firm FireEye, said he recently observed Gauss-infected machines connecting to command servers that use the same IP address as Flame. The Gauss operators did this by mapping the domain addresses secuurity.net and gowin7.com to the Netherlands-based IP address 95.211.172.143, which previously had been seen hosting Flame-infected machines exclusively. With the use of pseudonyms to register the domains, instead of anonymous registration services and the sharing of IP addresses, Islam said the actors don't appear to be trying to hide the affiliation between the two trojans.

(Update: Shortly after this article was published, a Kaspersky researcher said in a series of Twitter dispatches that the server FireEye was observing was a "sinkhole" operated by Kaspersky. Islam said there was no indication this was the case. This article will be further updated once this disagreement is resolved.)

"It seems like these guys are getting more confident and blatant with each passing day," he wrote. "Previously in [the] case of Flame, [an] anonymity feature was used while registering domains. They could have done the same for Gauss but they opted for fake names like Adolph Dybevek, Gilles Renaud, etc. and now they are openly sharing resources and adding more modules/functionalities (banking as [a] recent example) to their malicious software."

Islam went on to say that two of the infected machines FireEye has been monitoring reside in the US and are "part of very well-reputed companies." In an interview, he declined to name or describe the companies, but he said it's unlikely the Gauss attackers infected them by mistake.

"They're definitely doing a lot of new stuff and infiltrating into important companies and using this information for new attacks," he told Ars.

Determining the total number of computers infected by Gauss is hard, since researchers see only those affected machines that are connected to a given security firm's network. By comparing numbers FireEye has with those of other companies, Islam estimated there may be 3,500 infected computers in all.

Like Duqu and Flame, Gauss is highly modular. The design allows operators to add or remove specific components without affecting the overall stability of the malware. Gauss also shares "a fair deal of code" with Flame. Unlike Flame, whose developers went to great lengths to cover their tracks, Gauss code contains digital bread crumbs, including the Microsoft Windows file path c:\documents and settings\flamer\desktop\gauss_white_1, where it was developed. Flame, which was named after one of its main modules, is also known as Flamer. The highest concentration of Flame infections was in Iran, followed by Israel and the Palestinian territories, Sudan, and Syria. Gauss, by contrast, focused on Lebanon, followed by Israel and the Palestinian territories.

Some researchers have theorized that Flame and Duqu may have provided the reconnaissance needed for operations such as Stuxnet. The overall objective of Gauss remains unknown. An encrypted payload contained in one of its modules can only be unlocked and executed on a computer with a very specific, and so far unknown, configuration. Kaspersky researchers are seeking the help of world-class cryptographers to unravel the mystery.

Promoted Comments

Kudos to Ars for the update - both in providing the new information, and in keeping the old article intact. It seems like this kind of followup is relatively rare in modern reporting, and even when it's done there's a tendency to bury the update in the original article without having it bubble back up to the top as a new story.

Just wanted to mention how much I appreciate Ars staying on top of stories like this; it's among the reason you guys are my primary (often only!) source of news.

Thanks!

We appreciate the kind words, Control Group.

And to others who are more critical, we in no way ignored Kaspersky's tweets. To the contrary, we added an update, as the third paragraph, within minutes of seeing tweets from Kaspersky that contradicted the FireEye report. We immediately contacted both companies, and the moment we confirmed the initial report was inaccurate, we published a new headline and a rewritten story top. We also preserved the old copy in an attempt to be transparent about the fact that we no longer stood by the accuracy of what had been reported.

Yes, we could and should have made the correction more clear by using better formatting. That has been fixed now. Please accept our apologies.

Stuxnet was intended to only target computers that lived in locations that were network isolated. The issue is that Stuxnet started to install itself on computers that it wasn't intended to infect and was eventually discovered. The C&C aspect of these last two makes it obvious that they aren't designed for attacks in exclusively network isolated areas like Stuxnet was, but rather areas that probably by themselves don't need to be network isolated. In many espionage cases it's not one big data dump from a single hard to reach source that's important; rather, all the little pieces you can get from many not as hard to get to locations provide great returns. Not everything can be network isolated or on private networks, only the really important stuff.

"Shortly after this article was published, a Kaspersky researcher said in a series of Twitter dispatches that the server FireEye was observing was a 'sinkhole' operated by Kaspersky."

I suppose that explains why such an obvious thing wasn't noticed until now, or why those running the bot would suddenly out themselves now. It makes you wonder how this individual can call himself a 'researcher.'

meta: could we please have the update clearly marked as such (e.g. with italics). It was disconcerting reading this with the update just dumped in front of the body of the article. It is also not clear what is from the original and what, if anything, was changed.

It's always nice to read an article update that doesn't alter the original content of the post; other news sites and sources I have seen tend to bury "incorrect" information, thus leaving the article feeling riddled with discontinuities. Being able to read a full-text update/nigh-retraction without missing content is satisfying somehow, reassuring that journalism is self-correcting.

Ars journalism is self-correcting perhaps. So many other sites bury corrections or "silently" update articles, too many examples of how this has been poorly done ran through my head while reading this article.

Well done, Ars. I'm a harsh critic of reporting on this site in several respects, but here you are definitely setting the standard for the industry in professionalism.